From 0b9b0d9fca966919da1151843a891a397be98546 Mon Sep 17 00:00:00 2001
From: Ben Schwartzman
Date: Wed, 25 Aug 2021 02:45:10 -0400
Subject: [PATCH 1/2] Add optional sas token submodule
---
 CHANGELOG.md | 3 ++
 VERSION | 2 +-
 examples/minimal/main.tf | 8 ++++
 modules/azure-sas-token/README.md | 61 ++++++++++++++++++++++++++++
 modules/azure-sas-token/main.tf | 32 +++++++++++++++
 modules/azure-sas-token/outputs.tf | 5 +++
 modules/azure-sas-token/variables.tf | 20 +++++++++
 modules/azure-sas-token/versions.tf | 7 ++++
 8 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 modules/azure-sas-token/README.md
 create mode 100644 modules/azure-sas-token/main.tf
 create mode 100644 modules/azure-sas-token/outputs.tf
 create mode 100644 modules/azure-sas-token/variables.tf
 create mode 100644 modules/azure-sas-token/versions.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 518dce4..f03fc15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Tamr Terraform ADLS Gen2 module
 
+# v1.1.0 - Aug 25th 2021
+* Add optional `azure-sas-token` submodule
+
 # v1.0.0 - June 1st 2021
 * Upgrade `azurerm` provider
 * Upgrade `azuread` provider
diff --git a/VERSION b/VERSION
index 3eefcb9..9084fa2 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.0
+1.1.0
diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf
index e756c3b..26b172a 100644
--- a/examples/minimal/main.tf
+++ b/examples/minimal/main.tf
@@ -41,3 +41,11 @@ module "rules" {
 allowed_ips = ["4.3.2.1"]
 allowed_subnet_ids = [azurerm_subnet.example-subnet.id]
 }
+
+module "sas-token" {
+ source = "../../modules/azure-sas-token"
+
+ storage_account_primary_connection_string = module.minimal.storage_account_primary_connection_string
+ start_time = "2021-01-1T00:00:00Z"
+ end_time = "2021-12-31T00:00:00Z"
+}
diff --git a/modules/azure-sas-token/README.md b/modules/azure-sas-token/README.md
new file mode 100644
index 0000000..b154a78
--- /dev/null
+++ b/modules/azure-sas-token/README.md
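Review bot: `start_time = "2021-01-1T00:00:00Z"` in the new `sas-token` module block is not a valid ISO-8601 timestamp (the day-of-month needs two digits), so the provider or the storage service is likely to reject the signed start, even though the module's own variable descriptions require an ISO-8601 string; the README's Basic example added by this patch carries the same value. Change it to `start_time = "2021-01-01T00:00:00Z"` in both places. A fixed year-long validity window is also a generous default for an example that readers will copy; a shorter `end_time`, or a comment saying the window should be kept as short as practical, would be worth adding.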
@@ -0,0 +1,61 @@
+# Tamr Azure SAS token module
+
+This terraform module creates a Shared Access Signature for an existing storage account
+
+## Assumptions
+* A resource group exists
+* A storage account exists for which the token will be created
+
+# Examples
+## Basic
+`terraform apply`
+
+main.tf:
+```
+module "sas-token" {
+ source = "git::https://github.com/Datatamer/terraform-azure-adls-gen2.git//modules/azure-sas-token?ref=x.y.z"
+
+ storage_account_primary_connection_string = azurerm_storage_account.adls2_storage.primary_connection_string
+ start_time = "2021-01-1T00:00:00Z"
+ end_time = "2021-12-31T00:00:00Z"
+}
+```
+
+## SAS token
+Smallest complete fully working example with a SAS Token. This example might require extra resources to run the example.
+- [Minimal](https://github.com/Datatamer/terraform-adls-gen2/tree/master/examples/minimal)
+
+# Resources Created
+This modules creates no new resources
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12 |
+| azuread | >= 1.5.0 |
+| azurerm | >= 2.60.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| azurerm | >= 2.60.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| end\_time | The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
+| start\_time | The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
+| storage\_account\_primary\_connection\_string | Primary connection string associated with the storage account for which the token will be created | `string` | n/a | yes |
+| signed\_version | Specifies the signed storage service version to use to authorize requests made with this account SAS | `string` | `"2017-07-29"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| sas\_url\_query\_string | Token for client usage |
+
+
diff --git a/modules/azure-sas-token/main.tf b/modules/azure-sas-token/main.tf
new file mode 100644
index 0000000..dfea416
--- /dev/null
+++ b/modules/azure-sas-token/main.tf
@@ -0,0 +1,32 @@
+data "azurerm_storage_account_sas" "sas_token" {
+ connection_string = var.storage_account_primary_connection_string
+ https_only = true
+ signed_version = var.signed_version
+
+ resource_types {
+ service = true
+ container = true
+ object = true
+ }
+
+ services {
+ blob = true
+ queue = false
+ table = false
+ file = true
+ }
+
+ start = var.start_time
+ expiry = var.end_time
+
+ permissions {
+ read = true
+ write = true
+ delete = false
+ list = true
+ add = true
+ create = true
+ update = false
+ process = false
+ }
+}
diff --git a/modules/azure-sas-token/outputs.tf b/modules/azure-sas-token/outputs.tf
new file mode 100644
index 0000000..b640484
--- /dev/null
+++ b/modules/azure-sas-token/outputs.tf
@@ -0,0 +1,5 @@
+output "sas_url_query_string" {
+ description = "Token for client usage"
+ value = data.azurerm_storage_account_sas.sas_token.sas
+ sensitive = true
+}
diff --git a/modules/azure-sas-token/variables.tf b/modules/azure-sas-token/variables.tf
new file mode 100644
index 0000000..9d3f106
--- /dev/null
+++ b/modules/azure-sas-token/variables.tf
@@ -0,0 +1,20 @@
+variable "storage_account_primary_connection_string" {
+ description = "Primary connection string associated with the storage account for which the token will be created"
+ type = string
+}
+
+variable "signed_version" {
+ description = "Specifies the signed storage service version to use to authorize requests made with this account SAS"
+ type = string
+ default = "2017-07-29"
+}
+
+variable "start_time" {
+ description = "The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string"
+ type = string
+}
+
+variable "end_time" {
+ description = "The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string"
+ type = string
+}
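Review bot: The account SAS in `data "azurerm_storage_account_sas" "sas_token"` grants read, write, list, add and create at service, container and object scope across both the blob and file services, with no IP restriction, for the entire `start`–`expiry` window; since it is signed with the account key carried in `connection_string`, it cannot be revoked before `expiry` other than by rotating that key. Consider exposing the data source's optional `ip_addresses` argument (e.g. `ip_addresses = var.allowed_ip_range` with the variable defaulting to null; confirm the `>= 2.60.0` provider floor supports it) and turning the fixed `resource_types`/`services` booleans into inputs with narrow defaults, so a caller can scope a token to what it actually needs. A header comment such as `# Account-key SAS: stays valid until expiry regardless of later config changes; revoke only by rotating the storage account key.` would also help operators.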
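Review bot: `sensitive = true` on `sas_url_query_string` only redacts the value from plan/apply output; the generated SAS, together with the connection string it was derived from, is still written in clear text to the Terraform state, so the state backend needs the same protection as the account key itself. Make that explicit in the description, e.g. `description = "SAS query string for client usage (sensitive; persisted in Terraform state)"`.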
diff --git a/modules/azure-sas-token/versions.tf b/modules/azure-sas-token/versions.tf
new file mode 100644
index 0000000..c7191fa
--- /dev/null
+++ b/modules/azure-sas-token/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_version = ">= 0.12"
+ required_providers {
+ azuread = ">= 1.5.0"
+ azurerm = ">= 2.60.0"
+ }
+}
From d2c5c1cfd662af2f9443ec7ab72890846ee63253 Mon Sep 17 00:00:00 2001
From: Ben Schwartzman
Date: Tue, 7 Sep 2021 22:33:06 -0400
Subject: [PATCH 2/2] Make delete permission configurable
---
 modules/azure-sas-token/README.md | 1 +
 modules/azure-sas-token/main.tf | 2 +-
 modules/azure-sas-token/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/azure-sas-token/README.md b/modules/azure-sas-token/README.md
index b154a78..a6bd8c2 100644
--- a/modules/azure-sas-token/README.md
+++ b/modules/azure-sas-token/README.md
@@ -50,6 +50,7 @@ This modules creates no new resources
 | end\_time | The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
 | start\_time | The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
 | storage\_account\_primary\_connection\_string | Primary connection string associated with the storage account for which the token will be created | `string` | n/a | yes |
+| delete\_allowed | Whether or not to give this token permission to delete blobs | `bool` | `false` | no |
 | signed\_version | Specifies the signed storage service version to use to authorize requests made with this account SAS | `string` | `"2017-07-29"` | no |
 
 ## Outputs
diff --git a/modules/azure-sas-token/main.tf b/modules/azure-sas-token/main.tf
index dfea416..b6c16a0 100644
--- a/modules/azure-sas-token/main.tf
+++ b/modules/azure-sas-token/main.tf
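Review bot: `azuread = ">= 1.5.0"` is listed under `required_providers`, but none of the submodule's files in this patch (main.tf, outputs.tf, variables.tf) reference an `azuread` resource or data source, and the README's Providers table lists only `azurerm`, so consumers are forced to install a provider the module never uses. Drop that line, or if it is kept on purpose to stay aligned with the root module's constraints, say so in a comment such as `# azuread kept to match the root module's provider constraints`.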
@@ -22,7 +22,7 @@ data "azurerm_storage_account_sas" "sas_token" {
 permissions {
 read = true
 write = true
- delete = false
+ delete = var.delete_allowed
 list = true
 add = true
 create = true
diff --git a/modules/azure-sas-token/variables.tf b/modules/azure-sas-token/variables.tf
index 9d3f106..50b6871 100644
--- a/modules/azure-sas-token/variables.tf
+++ b/modules/azure-sas-token/variables.tf
@@ -18,3 +18,9 @@ variable "end_time" {
 description = "The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string"
 type = string
 }
+
+variable "delete_allowed" {
+ description = "Whether or not to give this token permission to delete blobs"
+ type = bool
+ default = false
+}
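Review bot: `delete = var.delete_allowed` switches on delete for the whole account SAS, which in this data source covers both the blob and file services (`services { ... file = true }` earlier in the block) at service, container and object scope, while the variable description in the variables.tf hunk and the README row in this patch say it only concerns blobs. Change the description to `description = "Whether or not to give this token permission to delete blobs and files (applies to every container or share the SAS can reach)"` so callers do not underestimate what they enable. The enclosing `data` block begins before this hunk.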